Tuesday, January 20, 2015

Creating custom SonicWall IPS signatures

Creating custom SonicWall IPS signatures

I’m going to show how to use Kali Linux and Windows 7 Pro running in VMware Workstation to create a packet capture for the creation of a SonicWall IPS signature to detect a reverse shell. Before writing this article I talked to SonicWall support and asked them if the IPS signatures already detected netcat reverse shells and was told that they do not. After creating this article, I discovered during testing that they actually do. We can still use this article as a reference to create custom IPS signatures in the future so all is not wasted.

On your Kali vm, open a terminal and enter “ncat -l”. This starts ncat listening for our reverse shell on the default port 31337. You may specify a different port: “ncat -l 4444” for example.

In Kali, start Wireshark and make a note of the IP address of the interface you are using for your capture. Start the Wireshark capture.

In Windows, download netcat from http://joncraton.org/files/nc111nt.zip and unzip it to the directory of your choice. Open a cmd prompt and either cd to the directory where netcat is extracted, or enter the path with the following command: “nc -e 31337”

On Kali, once the Windows 7 machine connects to our ncat listener you will see your Windows command prompt with the Windows version number. Stop the Wireshark capture. In wireshark, enter a filter to find the right packet: ip.src== and apply it.

Scroll down through the filtered frames until you see:

Click File > Export selected packet, and check “Selected packet only” and save it to your desktop.

I installed the Okteta hex editor in Kali; “apt-get install okteta”. There is a command line hex editor already installed in Kali, however I didn’t want to take the time to learn a cli hex editor since I had a deadline to get this done. I’ll take the time to learn hexedit later.

Open Okteta and open your packet capture that contains the one frame we’re interested in that you previously saved. Highlight the part you see highlighted below since we don’t want to include the directory path in our signature since that may vary. If you use anything beyond “Version 6.1.” then you will need to edit the capture in your hex editor and export a copy for EVERY version of Windows that you need to protect.

Click File > Export > Values, delete out the space in the Separation field to remove the spaces in the Preview field, and click the Export to File button.

To add the new signature, you need to add a new “Match Object”. In the SonicWall web interface, go to Firewall > Match Objects, and at the bottom click “Add new match object”. Enter your object name, I used “Windows Reverse Shell”, Match Object Type should be “Custom Object”, Match Type should be “Exact Match”, Input Representation should be “Hexadecimal”, now paste your hex code you extracted from the hex editor earlier and then click “Add” and then “Ok”.

Create a new app rule: